The Mirage file portal runs on Windows Server 2008 or later. You must protect this host from common OS vulnerabilities.
Use spyware filters, intrusion detection systems, and the other security measures mandated by your enterprise policies.
Ensure that all security measures are up to date, including OS patches.
| Configuration Element | Description |
|---|---|
| Code | MFP01 |
| Name | Keep the Mirage file portal properly patched. |
| Description | Staying up to date on OS patches mitigates OS vulnerabilities. |
| Risk or control | If an attacker gains access to the system and reassigns privileges on the Mirage file portal, the attacker can access all files transferring through the Mirage file portal. |
| Recommended level | Enterprise |
| Condition or steps | Employ a system to keep the Mirage file portal up to date with patches, in accordance with industry-standard guidelines, or internal guidelines where applicable. |
| Configuration Element | Description |
|---|---|
| Code | MFP02 |
| Name | Provide OS protection on the Mirage file portal host. |
| Description | OS-level protection mitigates vulnerabilities in the OS. This protection includes antivirus, anti-malware, and similar measures. |
| Risk or control | If an attacker gains access to the system and reassigns privileges on the Mirage file portal, the attacker can access all files transferring through the Mirage file portal. |
| Recommended level | Enterprise |
| Condition or steps | Provide OS protection, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where applicable. |
| Configuration Element | Description |
|---|---|
| Code | MFP03 |
| Name | Restrict privileged user login. |
| Description | Keep the number of privileged users with permission to log in to the Mirage file portal as an administrator to a minimum. |
| Risk or control | If an unauthorized privileged user gains access to the Mirage file portal, the system is vulnerable to unauthorized modification of files being downloaded. |
| Recommended level | Enterprise |
| Condition or steps | Create specific privileged login accounts for individuals. Those accounts should be members of the local Administrators group. |
| Configuration Element | Description |
|---|---|
| Code | MFP04 |
| Name | Implement an administrative password policy. |
| Description | Set a password policy for all Mirage file portal hosts. Passwords must satisfy the parameters that the policy defines. |
| Risk or control | If an unauthorized privileged user gains access to the Mirage file portal, the system is vulnerable to unauthorized modification. |
| Recommended level | Enterprise |
| Condition or steps | Set a password policy for the Mirage file portal. |
| Configuration Element | Description |
|---|---|
| Code | MFP05 |
| Name | Remove unnecessary network protocols. |
| Description | The Mirage file portal uses only IPv4 communication. Remove other protocols and services, such as file and printer sharing, NFS, Samba server, Novell IPX, and so on. |
| Risk or control | If unnecessary protocols are enabled, the Mirage file portal is more vulnerable to network attacks. |
| Recommended level | Enterprise |
| Condition or steps | In the Control Panel or the administrative tools of the Mirage file portal operating system, remove or uninstall unnecessary protocols. |
| Configuration Element | Description |
|---|---|
| Code | MFP06 |
| Name | Disable unnecessary services. |
| Description | The Mirage file portal requires only a minimal set of OS services. Disabling unnecessary services enhances security and prevents those services from starting automatically at boot time. |
| Risk or control | If unnecessary services are running, the Mirage file portal is more vulnerable to network attacks. |
| Recommended level | Enterprise |
| Condition or steps | Verify that no server roles are enabled. Disable any services that are not required. Several Windows services on Server 2008 start by default but are not required; disable these services. |
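One way to audit a file portal host against MFP06 is the following PowerShell script. It is an added example, not part of the VMware guide: the allow-list of services is an assumption for illustration (it assumes the portal is hosted by IIS), and you should build your own from the Mirage Installation Guide and your baseline. It only reports by default; `-Disable` applies the change.

```powershell
# Added audit for MFP06: report services set to start automatically that are
# not on an allow-list, and report installed server roles. Report only unless
# -Disable is given. The allow-list below is an assumption, not a VMware list.
param([switch]$Disable)

$AllowedAutoServices = @(
    "W3SVC", "WAS",                          # IIS, assumed to host the portal
    "EventLog", "Dnscache", "Dhcp",          # core OS services
    "LanmanWorkstation", "RpcSs", "Winmgmt", # remote management dependencies
    "wuauserv"                               # Windows Update, supports MFP01
)

# Win32_Service exposes StartMode; Get-Service on Server 2008 does not.
$unlisted = Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq "Auto" -and $AllowedAutoServices -notcontains $_.Name }

"Automatic services not on the allow-list:"
foreach ($svc in $unlisted) {
    "{0,-30} {1,-8} {2}" -f $svc.Name, $svc.State, $svc.DisplayName
    if ($Disable) {
        # Stop the service now and keep it from starting at the next boot.
        Set-Service -Name $svc.Name -StartupType Disabled
        if ($svc.State -eq "Running") { Stop-Service -Name $svc.Name -Force }
    }
}

# Installed server roles: the host should carry none beyond what the portal
# itself needs (assumed here: the Web Server (IIS) role).
"Installed server roles:"
try {
    Import-Module ServerManager -ErrorAction Stop   # Server 2008 R2 and later
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq "Role" } |
        Select-Object Name, DisplayName
} catch {
    "ServerManager module not available; use 'servermanagercmd.exe -query' instead."
}
```

Run it in an elevated PowerShell session on the portal host and review the listed services against the Installation Guide before using `-Disable`.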
The Mirage file portal is generally deployed in a DMZ or an internal data center to control browser access and user data over a potentially hostile network, such as the Internet. In a DMZ or internal data center, it is important that you use a firewall to control network protocol access.
| Configuration Element | Description |
|---|---|
| Code | MFP07 |
| Name | Use an external firewall in the DMZ to control network access. |
| Description | The Mirage file portal is usually deployed in a DMZ. You must control which protocols and network ports are permitted so that communication with the Mirage file portal is restricted to the required minimum. The Mirage file portal automatically sends requests to Mirage Management servers within a data center and ensures that all forwarded traffic is on behalf of authenticated users. |
| Risk or control | Allowing unnecessary protocols and ports might increase the possibility of an attack by a malicious user, especially for protocols and ports used for network communication from the Internet. |
| Recommended level | Configure a firewall on either side of the Mirage file portal to restrict protocols and network ports to the minimum set required between browsers and Mirage data storage. Deploy the Mirage file portal on an isolated network to limit the scope of frame broadcasts. This configuration can help prevent a malicious user on the internal network from monitoring communication between the Mirage file portal and the Mirage Management server. You might also use advanced security features on your network switch to prevent malicious monitoring of Mirage Gateway communication with Mirage servers, and to guard against monitoring attacks such as ARP cache poisoning. |
| Parameter or objects configuration | For more information about the firewall rules that are required for a DMZ deployment, see the VMware Mirage Installation Guide. |
| Configuration Element | Description |
|---|---|
| Code | MFP08 |
| Name | Do not use default, self-signed server certificates on the Mirage file portal. |
| Description | When you first install the Mirage file portal, the HTTPS server cannot operate until signed certificates are prepared. The Mirage file portal and the HTTPS server require SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA. |
| Risk or control | Using self-signed certificates leaves the SSL/TLS connection more vulnerable to man-in-the-middle attacks. Using certificates signed by a trusted CA mitigates the potential for these attacks. |
| Recommended level | Enterprise |
| Condition or steps | For more information about setting up Mirage file portal certificates, see the VMware Mirage Installation Guide. |
| Test | Use a vulnerability scanning tool to connect to the Mirage file portal. Verify that the certificate is signed by the appropriate CA. |
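The MFP08 test can also be performed without a scanner. The following PowerShell script is an added example, not from the VMware guide: it opens a TLS connection to the portal, then reports whether the presented certificate is self-signed and whether it chains to a CA trusted by the machine running the check. The host name and port are assumptions.

```powershell
# Added check for MFP08: connect to the file portal over TLS and report whether
# the server certificate is self-signed and whether it chains to a trusted CA.
# $PortalHost and $Port are assumptions for this example.
param(
    [string]$PortalHost = "mirage-portal.example.com",  # assumption
    [int]$Port = 443                                    # assumption
)

$client = New-Object System.Net.Sockets.TcpClient($PortalHost, $Port)
try {
    # Accept any certificate during the handshake so the chain can be examined
    # below instead of the handshake aborting on an untrusted certificate.
    $acceptAll = { param($sender, $cert, $chain, $errors) return $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($PortalHost)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against the local machine trust store, with revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $trusted = $chain.Build($cert)
    $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

    # DnsName returns the first SAN DNS entry or the CN; exact match only, so
    # wildcard certificates and additional SAN entries need manual review.
    $dnsName = $cert.GetNameInfo("DnsName", $false)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # MFP08 fails if $true
        HostNameMatch = ($dnsName -eq $PortalHost)
        ChainTrusted  = $trusted                           # $false: not signed by a trusted CA
        ChainStatus   = $statuses                          # empty when the chain is clean
    }
} finally {
    $client.Close()
}
```

A compliant portal shows `SelfSigned` false, `ChainTrusted` true, and an `Issuer` that is your commercial or organizational CA; run the check from a host whose trust store matches what your users' browsers trust.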